A new report lays out 20 recommendations for how the payments industry can elevate its game in preventing cyber attacks. A rising focus on cyber hygiene will lift the whole industry.

Joy web portrait

Protecting their organisation against cyber threats has moved up the agenda for C-suites in banks and other payment institutions during the Covid-19 pandemic. According to a recent BAE Systems’ ‘Covid Crime Index 2021’ report, 74% of banks experienced a rise in cyber crime since the pandemic began, and three out of four financial institutions worrying about the historic rise in criminal activity and what will happen going forward.

Going it alone against the professionally organised, globally coordinated, and highly innovative and incentivised mass cyber criminal networks is not going to be enough. To address this challenge, Payments 20 (P20), an advocacy group for the payments industry, has launched a report providing top tips for improving cyber security defences.

Together with financial institutions, cyber security experts and government officials, including American Express, Elavon, Hogan Lovells, JPMorgan Chase, the UK National Cyber Security Centre and New York State Department of Financial Services, P20 has developed a standardised approach to protect the industry as a whole, especially smaller organisations.

Aimed at non-cyber experts, the P20’s report, entitled ‘20 Best Practice Recommendations for Improved Cyber Security Protection’, covers five areas:

  1. Network security
  2. Data handling
  3. Employee awareness
  4. Actions before a cyber attack occurs
  5. Actions immediately after a cyber attack occurs

While many of the recommendations relate to good cyber hygiene, a tip that has garnered attention more recently is understanding the cyber risk embedded in the supply chain. In the report, Michael Papay, executive vice-president, technology risk and information security at American Express, pointed out that “hidden third parties or fourth party suppliers” are the weak links in the payments network. Importantly, institutions are realising that cyber security doesn’t stop at their gates, but needs to be addressed throughout the supply chain to ensure the entire payments network remains secure.

Another strong theme in the report is the realisation that no matter how vigilant they are, there is a high likelihood that every institution will be targeted by threat actors at some point. Therefore, being prepared for such an attack is vital and the P20 report recommends that every organisation develop an incident response plan and test it regularly through tabletop exercises. In addition, organisations should engage outside legal counsel and a third-party forensic incident response firm, so that any type of report will be protected by attorney-client privilege.

The experts interviewed for the report point out that there is no end game when it comes to cyber security, because the threat landscape is constantly evolving and attacks are becoming more sophisticated. As Linda Lacewell, former superintendent of financial services, New York State Department of Financial Services, said: “The chair of the Fed is more worried about a cyber attack than he is about the kind of factors that triggered the last financial crisis in 2008. So, everybody should be worried about it. But I think it’s important not to feel overwhelmed. There are things that everybody can do, should do and must do to protect themselves [and] their counterparties.”

Joy Macknight is editor of The Banker. Follow her on Twitter @joymacknight

Register to receive the Editor’s blog and in-depth coverage from the banking industry through the weekly e-newsletter.


All fields are mandatory

The Banker is a service from the Financial Times. The Financial Times Ltd takes your privacy seriously.

Choose how you want us to contact you.

Invites and Offers from The Banker

Receive exclusive personalised event invitations, carefully curated offers and promotions from The Banker

For more information about how we use your data, please refer to our privacy and cookie policies.

Terms and conditions

Top 1000 2023

Request a demonstration to The Banker Database

Join our community

The Banker on Twitter